HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
- Severity: Medium
Description
A Server-Side Request Forgery (SSRF) vulnerability affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters.
Recommendation
Update the hackmd-mcp package to the latest compatible version. Version details:
- Affected version(s): >= 1.4.0, < 1.5.0
- Patched version(s): 1.5.0
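
One way to constrain the two override channels named in the description, as an added example (not code from hackmd-mcp or its 1.5.0 patch): the requested hackmdApiUrl is normalized and accepted only when it matches an operator-controlled allowlist. The `config` query parameter name, the default URL and `ALLOWED_API_URLS` are assumptions; the header and field names come from the advisory.

```javascript
// Added example, not hackmd-mcp code. ALLOWED_API_URLS, DEFAULT_API_URL and the
// "config" query parameter name are assumptions made for illustration.
const DEFAULT_API_URL = "https://api.hackmd.io/v1";
const ALLOWED_API_URLS = [DEFAULT_API_URL]; // set by the operator, never by the client

// Normalize to origin + path so case, default ports and trailing slashes
// cannot be used to slip past a plain string comparison.
function normalize(raw) {
  const u = new URL(raw); // throws on malformed input
  if (u.protocol !== "https:") throw new Error("https required");
  if (u.username || u.password) throw new Error("userinfo not allowed");
  if (u.search || u.hash) throw new Error("query/fragment not allowed");
  return u.origin + u.pathname.replace(/\/+$/, "");
}

const ALLOWED = new Set(ALLOWED_API_URLS.map(normalize));

// Collect the client-supplied override from both channels the advisory names.
function requestedApiUrl(headers, query) {
  const fromHeader = headers["hackmd-api-url"]; // Node lowercases header names
  if (fromHeader !== undefined) return fromHeader;
  if (query.config) {
    const cfg = JSON.parse(Buffer.from(query.config, "base64").toString("utf8"));
    if (cfg.hackmdApiUrl !== undefined) return cfg.hackmdApiUrl;
  }
  return undefined;
}

// Returns the only URL the server may call, or throws so the request is
// rejected before any outbound fetch is made.
function resolveApiUrl(headers, query) {
  let raw;
  try {
    raw = requestedApiUrl(headers, query);
  } catch {
    throw new Error("rejected: malformed config parameter");
  }
  if (raw === undefined) return DEFAULT_API_URL;
  if (typeof raw !== "string") throw new Error("rejected: hackmdApiUrl must be a string");
  let candidate;
  try {
    candidate = normalize(raw);
  } catch (e) {
    throw new Error("rejected: " + e.message);
  }
  if (!ALLOWED.has(candidate)) throw new Error("rejected: not in allowlist");
  return candidate;
}
```

Comparing the normalized URL against an exact allowlist avoids prefix and substring matching, which lookalike hostnames can satisfy.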
References
Related Issues
- Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-15104
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
- google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability - CVE-2023-48711
- Tags: npm, hackmd-mcp
Last updated on September 15, 2025